outbound_smb_traffic
Explanation
This Netography Fusion Portal security event is triggered when outbound Windows Networking traffic is detected (including DCE-RPC, NetBIOS, or SMB).
What to Look For
When well tuned, this event can detect unauthorized Windows Networking activity, which may indicate data exfiltration or exploitation of vulnerabilities. Networks often interact with cloud-hosted Active Directory servers. Craft discards for these known, authorized destination addresses so that unauthorized activity can be detected.
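The tuning described above, as an added example (not Netography's detection logic or Fusion syntax): outbound DCE-RPC, NetBIOS and SMB flows are flagged unless the destination is on a discard list of authorized addresses. The flow-record fields, the internal ranges and all addresses are constructed assumptions.

```python
import ipaddress

# Well-known Windows Networking service ports: (protocol, port) -> service.
WINDOWS_NET_PORTS = {("tcp", 135): "DCE-RPC", ("udp", 137): "NetBIOS",
                     ("udp", 138): "NetBIOS", ("tcp", 139): "NetBIOS",
                     ("tcp", 445): "SMB"}
# Assumption: the monitored network uses the RFC 1918 private ranges.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed discard list: a known, authorized destination such as a
# cloud-hosted Active Directory server (documentation address).
AUTHORIZED_DSTS = [ipaddress.ip_network("203.0.113.10/32")]


def _in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def classify(flow):
    """Return (verdict, service) for one flow record."""
    service = WINDOWS_NET_PORTS.get((flow["proto"], flow["dst_port"]))
    if service is None:
        return ("ignore", None)
    # Outbound: internal source talking to a non-internal destination.
    if not _in_any(flow["src"], INTERNAL) or _in_any(flow["dst"], INTERNAL):
        return ("ignore", service)
    if _in_any(flow["dst"], AUTHORIZED_DSTS):
        return ("discard", service)
    return ("alert", service)


def alerts(flows):
    """Flows that still alert after the discards are applied."""
    return [(f["src"], f["dst"], svc) for f in flows
            for verdict, svc in [classify(f)] if verdict == "alert"]


# Constructed sample flow records.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "203.0.113.10", "proto": "tcp", "dst_port": 445},
    {"src": "10.1.2.3", "dst": "198.51.100.77", "proto": "tcp", "dst_port": 445},
    {"src": "10.1.2.3", "dst": "10.9.9.9", "proto": "tcp", "dst_port": 135},
    {"src": "192.168.5.20", "dst": "198.51.100.77", "proto": "udp", "dst_port": 137},
    {"src": "10.1.2.3", "dst": "198.51.100.77", "proto": "tcp", "dst_port": 443},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_FLOWS))
```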
Related MITRE ATT&CK Categories